CPS Release Notes

Release Notes for Cisco Policy Suite for Release 7.0.5
First Published: May 19, 2015
Last Updated: June 30, 2015
Contents
This document describes the new features, feature versions and limitations for the Cisco Policy Suite
software. Use this document in combination with documents listed in the “Obtaining Documentation and
Submitting a Service Request” section.
This document includes the following sections:
• New and Changed Information
• Installation Notes
• Limitations and Restrictions
• CDETS
• Related Documentation
• Obtaining Documentation and Submitting a Service Request
New and Changed Information
This section describes the new and changed features in this release.
New Software Features in 7.0.5
The following features have been added in Release 7.0.5:
• Grafana User Authentication
• Gx Message Processing Traps
• High CPU Usage Traps
• Logical Operator Support in Programmatic CRD tables for RxSTGConfiguration
• Session Cache Hot Standby
• Support for Diameter Realm Wildcarding
• Support for More than One Sd Destination Realm
• Support of Charging Parameters from CRD Table for Dynamic Rules
Grafana User Authentication
This release introduces authentication for Grafana users. In previous releases no authentication was
needed to access Grafana: https://lbvip01:9443/grafana
Note: After installing or upgrading to this release, you must create at least one user to be able to access
Grafana.
For information related to user authentication configuration, refer to User Authentication in CPS 7.0.5
Operations Guide.
Gx Message Processing Traps
The following new Application Notifications (traps) have been introduced to generate an alarm when
CPS Gx message processing drops below the specified threshold.
Name: Gx Message processing Dropped
  Feature: Application
  Severity: Critical
  Message Text: Gx Message processing Dropped
    If Gx Message CCR_I dropped below 95% on qns<<xx>> VM.
    If Gx Message CCR_U dropped below 95% on qns<<xx>> VM.
    If Gx Message CCR_T dropped below 95% on qns<<xx>> VM.
Name: Gx Message processing Normal
  Feature: Application
  Severity: Clear
  Message Text: Gx Message processing Normal
    If Gx Message CCR_I Normal if below 95% on qns<<xx>> VM.
    If Gx Message CCR_U Normal if below 95% on qns<<xx>> VM.
    If Gx Message CCR_T Normal if below 95% on qns<<xx>> VM.
For configuration related information, refer to Configure the Gx Message Processing Threshold in CPS
7.0.5 Alarming and SNMP Guide.
High CPU Usage Traps
The following new Component Notifications (traps) have been introduced to generate alarms for high
CPU usage on any CPS VMs.
Name: High CPU Usage Alert
  Feature: Component
  Severity: Critical
  Message Text: CPU Usage is higher than alert threshold on `hostname`.
    Threshold=$Alert_Threshold%, Current_LOAD=$Current_load%
  This trap is generated whenever CPU usage on a VM is higher than the alert threshold value.
Name: High CPU Usage Clear
  Feature: Component
  Severity: Clear
  Message Text: CPU Usage is below the clear threshold on `hostname`.
    Threshold=$Alert_Threshold%, Current_LOAD=$Current_load%
  This trap is generated whenever CPU usage on a VM is lower than the clear threshold value. It is
  generated only when High CPU Usage Alert was generated earlier.
For configuration related information, refer to Configure High CPU Usage Alarm Thresholds and
Interval Cycle in CPS 7.0.5 Alarming and SNMP Guide.
Logical Operator Support in Programmatic CRD tables for RxSTGConfiguration
Old behavior:
CPS did not support range checking while doing programmatic CRD table evaluation.
New behavior:
CPS users can now configure the CRD table to check whether the requested value falls within the range
of values present in the CRD tables and fetch the matching records.
CRD tables now support Maximum and Minimum columns for each AVP. For example, for the MBR_UL
AVP, the user should create MBR_UL_Max and MBR_UL_Min columns. CPS then uses the min and max
to check the range.
Note: This functionality is currently available for RxSTGConfiguration only.
For more information on configuration, refer to Logical Operator Support in Programmatic CRD Tables
for RxSTGConfiguration in CPS 7.0.5 Mobile Configuration Guide.
Session Cache Hot Standby
Session data is highly concurrent; the application always reads and writes from the primary database.
The secondary database(s) provide HA for the primary in the event of VM shutdown or process
shutdown. A hot standby session cache replica set is configured to take over the load while the primary
database is failing over to the secondary session cache database. During this fail-over process, it
minimizes call failures and provides high system availability.
For more information on session cache hot standby, refer to Session Cache Hot Standby in CPS 7.0.5
Installation Guide.
Support for Diameter Realm Wildcarding
CPS now supports diameter realm wildcarding for inbound peers under the Diameter Stack
configuration.
Tip: Whenever possible, use exact values instead of patterns to maintain clarity. A poorly constructed pattern
or loose pattern increases the potential for accepting peers/realms that would not otherwise be allowed.
For more information on realm wildcarding for inbound peers, refer to Support for Diameter Realm
Wildcarding for Inbound Peers in CPS 7.0.5 Mobile Configuration Guide.
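One way to test a realm pattern before configuring it, as an added example that is not part of the Cisco documentation: it lists the realms a pattern would accept beyond the approved set, and the approved realms it would reject. It assumes a pattern is a regular expression that must match the whole realm (approximated with grep -E -x; check the Mobile Configuration Guide for the exact syntax); the function names and all realm names are constructed.

```sh
#!/bin/sh
# Added example (not Cisco code): test a realm pattern before configuring it.
# Assumption: a pattern is a regular expression that must match the whole
# realm; grep -E -x approximates that. All realm names below are constructed.

# realms_overmatched PATTERN APPROVED_FILE CANDIDATES_FILE
# Prints candidate realms the pattern accepts that are not approved.
# Returns 0 if the pattern accepts only approved realms, 1 otherwise.
realms_overmatched() {
    extra=$(grep -E -x -e "$1" "$3" | grep -F -x -v -f "$2" || true)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# realms_missed PATTERN APPROVED_FILE
# Prints approved realms the pattern would reject (pattern too tight).
realms_missed() {
    grep -E -x -v -e "$1" "$2" || true
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Realms that are meant to be accepted (constructed).
cat > "$demo_dir/approved" <<'EOF'
pgw.site1.operator.example
pgw.site2.operator.example
EOF

# Realms to test against: the approved ones plus near misses (constructed).
cat > "$demo_dir/candidates" <<'EOF'
pgw.site1.operator.example
pgw.site2.operator.example
lab.operator.example
pgw.site1.operator.example.other.test
pgwXsite1.operator.example
EOF

# Four patterns, from loose to over-tight:
#   1. wildcards on both ends
#   2. unescaped dots (each "." matches any character)
#   3. escaped dots with a small character class
#   4. a single exact realm
for p in '.*operator.example.*' 'pgw.site[12].operator.example' \
         'pgw\.site[12]\.operator\.example' 'pgw\.site1\.operator\.example'; do
    if extra=$(realms_overmatched "$p" "$demo_dir/approved" "$demo_dir/candidates"); then
        printf 'pattern %s: accepts approved realms only\n' "$p"
    else
        printf 'pattern %s: also accepts: %s\n' "$p" "$(printf '%s' "$extra" | tr '\n' ' ')"
    fi
    missed=$(realms_missed "$p" "$demo_dir/approved")
    [ -z "$missed" ] || printf 'pattern %s: rejects approved: %s\n' "$p" "$missed"
done
```

The candidates file is most useful when it holds every realm actually seen on the inbound interface plus deliberate near misses.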
Support for More than One Sd Destination Realm
Old behavior:
In previous releases, only one Sd destination realm could be provisioned in CPS (Policy Builder/Service
Option/Use Case).
New behavior:
In this release, the CRD table can be configured with Gx-Host and/or Gx-Realm as inputs and Sd-Realm
as output.
For more information on multiple Sd destination realm configuration, refer to Support for More than One
Sd Destination Realm in CPS 7.0.5 Mobile Configuration Guide.
Support of Charging Parameters from CRD Table for Dynamic Rules
Old behavior:
Currently, CPS supports selecting charging parameters using the Rx profile, with media type and AF
Application Identifier as input for dynamic charging parameters, and Sponsor-Identity,
Application-Service-Provider-Identity, and Media-Type for sponsor data.
New behavior:
CPS takes values from the CRD table for media type and AF Application Identifier, along with parameters
of the Gx session and user profile, and derives the dynamic charging parameters from them.
Charging parameters should be derived when the sponsored data feature has been configured in the CRD
with Sponsor-Identity, Media-Type, Application-Service-Provider-Identity, and some input from Gx and
the SPR profile.
Two new service objects have been introduced in policy builder:
RxChargingParameterSTGConfiguration and RxSponseredDataChargingParameterSTGConfiguration.
For more information on configuration, refer to Support of Charging Parameters from CRD Table for
Dynamic Rules in CPS 7.0.5 Mobile Configuration Guide.
Installation Notes
Download ISO Image
Download the 7.0.5 software package (ISO image) from:
http://spswag-qns-bld2/Customer_Releases/ATT/patches/MR_7.0.5/QPS_7.0.5_20150410_3659.iso
Md5sum Details: d4a2889d03f65189cf21c12f25e76bf6 - QPS_7.0.5_20150410_3659.iso
This image can be used to perform a new installation as well as for upgrading an existing CPS system.
Feature Versions
The following table lists the component versions for the CPS 7.0.5 Release:
Component                    Version
Core                         7.0.5.release
Audit                        1.4.5.release
Balance                      3.4.5.release
Cisco API                    1.0.5.release
Cisco CPAR                   1.0.5.release
Congestion Reference Data    1.2.5.release
Control Center               3.4.5.release
Customer Reference Data      2.4.5.release
DHCP                         1.4.5.release
Diameter2                    3.4.5.release
Fault Management             1.0.5.release
ISG Prepaid                  1.8.5.release
LDAP                         1.5.5.release
Notifications                5.8.5.release
Policy Intel                 2.2.5.release
POP-3 Authentication         1.4.5.release
RADIUS                       3.3.5.release
Recharge Wallet              1.2.5.release
Scheduled Events             1.3.5.release
SCE                          2.1.5.release
SPR                          2.3.5.release
Unified API                  2.3.5.release
Web Services                 1.5.5.release
New Installations
To perform a new installation of CPS 7.0.5, follow these steps:
Step 1
Mount the ISO image to the Cluster Manager as described in the CPS Installation Guide.
Step 2
Before executing install.sh script from the /mnt/iso directory, refer to CSCuu16366 — Initial
install requires csv files under Additional Notes.
Step 3
Select the new installation option as described in the CPS Installation Guide.
Upgrading an Existing CPS Installation
To upgrade from 7.x, refer to Chapter 4 of the CPS Installation Guide.
To migrate from 6.x, refer to Chapter 5 of the CPS Installation Guide.
Note: Before upgrading, back up any configuration files which you modified. These files include (but are
not limited to) haproxy.cfg, haproxy-diameter.cfg, and snmp.conf.
Note: If a user selects the upgrade option when running install.sh, a new prompt is added for the user to
pick the repository (in this example, configuration or run). If the user does not pick anything, the default
is configuration, as shown in the example below.
read existing deployment data if exists...
collecting SM data...
collecting GEO data...
Please select the type of installation to complete:
1) New Deployment
2) Migration from pre 7.0 system
3) Upgrade from existing 7.x system
3
Upgrading...
Please pick a svn repository to backup the policy files [configuration]:
configuration/ run/
:configuration
The above mentioned step copies the SVN/policy repository from the pcrfclient01 and stores it in the
Cluster Manager. Later when pcrfclient01 is upgraded, the SVN/policy files will be preserved.
Note: Only the ‘configuration’ option is currently supported.
Post Upgrade Steps
Re-apply Configuration Modifications
After the upgrade is finished, compare your modified configuration files that you backed up earlier with
the newly installed versions. Make any necessary updates.
Verify Configuration Settings
After the upgrade is finished, verify the following configuration settings.
Note: Use the default values listed below unless otherwise instructed by your Cisco Technical Representative.
Note: During the upgrade process these configuration files are not overwritten. Only during a new install
will these settings be applied.
The parameters in bold text are new or updated in this release. For definition of the newly added
parameters, refer to the table at the end of this section.
• /etc/broadhop/qns.conf
-DnodeHeartBeatInterval=9000
-Dcom.mongodb.updaterIntervalMS=400
-Dcom.mongodb.updaterConnectTimeoutMS=600
-Dcom.mongodb.updaterSocketTimeoutMS=600
-DdbSocketTimeout=1000
-DdbConnectTimeout=1200
-Dmongo.client.thread.maxWaitTime=1200
-Dstatistics.step.interval=1
-DshardPingLoopLength=3
-DshardPingCycle=200
-DshardPingerTimeoutMs=75
-Ddiameter.default.timeout.ms=2000
-Dmongo.connections.per.host=5
-Dmongo.threads.allowed.to.wait.for.connection=10
-DmaxLockAttempts=3
-DretryMs=3
-DmessageSlaMs=1500
-DmemcacheClientTimeout=200
-Dlocking.disable=true
Note: The following settings should be present only for GR (multi-cluster) CPS deployments:
-DclusterFailureDetectionMS=1000
• /etc/broadhop/pcrf/qns.conf and /etc/broadhop/diameter_endpoint/qns.conf
-Dzmq.send.hwm=5000
-Dzmq.recv.hwm=5000
• /etc/broadhop/iomanager01/qns.conf and /etc/broadhop/iomanager02/qns.conf
-Dzmq.send.hwm=1000
-Dzmq.recv.hwm=1000
• /etc/broadhop/diameter_endpoint/jvm.conf
-XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps
-XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime
-XX:+DisableExplicitGC
-Xms2g
-Xmx2g
• /etc/broadhop/pcrf/jvm.conf
-XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps
-XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime
-XX:+DisableExplicitGC
-Xms4g
-Xmx4g
• /etc/broadhop/iomanager01/jvm.conf and /etc/broadhop/iomanager02/jvm.conf
-XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps
-XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime
-XX:+DisableExplicitGC
-Xms2g
-Xmx2g
Parameter: -DshardPingLoopLength, -DshardPingCycle, -DshardPingerTimeoutMs
  Definition: For internal use only, do not modify.
Parameter: -Dzmq.send.hwm, -Dzmq.recv.hwm
  Definition: These parameters define the maximum number of messages (hwm = high water mark)
  allowed per second between Load Balancer VMs and the CPS (qns) VMs.
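A way to automate the check of /etc/broadhop/qns.conf against the values listed above, as an added example that is not part of the Cisco documentation. It assumes the options appear as whitespace-separated -Dname=value tokens (optionally inside a double-quoted assignment); the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Cisco code): compare -D options in a qns.conf with the
# defaults listed in these release notes for /etc/broadhop/qns.conf.
# Assumption: options are whitespace-separated -Dname=value tokens, possibly
# inside a double-quoted assignment.

# The defaults from the release notes, one per line.
expected_qns_opts() {
    cat <<'EOF'
-DnodeHeartBeatInterval=9000
-Dcom.mongodb.updaterIntervalMS=400
-Dcom.mongodb.updaterConnectTimeoutMS=600
-Dcom.mongodb.updaterSocketTimeoutMS=600
-DdbSocketTimeout=1000
-DdbConnectTimeout=1200
-Dmongo.client.thread.maxWaitTime=1200
-Dstatistics.step.interval=1
-DshardPingLoopLength=3
-DshardPingCycle=200
-DshardPingerTimeoutMs=75
-Ddiameter.default.timeout.ms=2000
-Dmongo.connections.per.host=5
-Dmongo.threads.allowed.to.wait.for.connection=10
-DmaxLockAttempts=3
-DretryMs=3
-DmessageSlaMs=1500
-DmemcacheClientTimeout=200
-Dlocking.disable=true
EOF
}

# check_qns_conf FILE [gr]
# Prints one MISSING / MISMATCH / UNEXPECTED line per deviation and returns 1
# if there is any. Pass "gr" for GR (multi-cluster) deployments, where
# -DclusterFailureDetectionMS=1000 is expected; otherwise it must be absent.
check_qns_conf() {
    conf=$1
    mode=${2:-ha}
    expected_qns_opts | awk -v mode="$mode" '
    NR == FNR {                      # first input: expected list on stdin
        i = index($0, "="); k = substr($0, 1, i - 1)
        want[k] = substr($0, i + 1); order[++n] = k; next
    }
    /^[ \t]*#/ { next }              # skip comment lines in the conf file
    {
        gsub(/["\\]/, " ")           # drop quotes and line continuations
        for (f = 1; f <= NF; f++)
            if ($f ~ /^-D[^=]+=/) {
                i = index($f, "=")
                have[substr($f, 1, i - 1)] = substr($f, i + 1)
            }
    }
    END {
        for (j = 1; j <= n; j++) {
            k = order[j]
            if (!(k in have)) { print "MISSING " k "=" want[k]; bad = 1 }
            else if (have[k] != want[k]) {
                print "MISMATCH " k " expected=" want[k] " actual=" have[k]; bad = 1
            }
        }
        g = "-DclusterFailureDetectionMS"
        if (mode == "gr") {
            if (!(g in have)) { print "MISSING " g "=1000"; bad = 1 }
            else if (have[g] != "1000") {
                print "MISMATCH " g " expected=1000 actual=" have[g]; bad = 1
            }
        } else if (g in have) {
            print "UNEXPECTED " g "=" have[g] " (GR deployments only)"; bad = 1
        }
        exit bad
    }' - "$conf"
}

# Constructed sample: one changed value, one missing option, and the GR-only
# option present on a deployment checked as non-GR.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
{
    echo '# constructed sample, not a real CPS file'
    echo 'QNS_OPTS="'
    expected_qns_opts | sed -e 's/^-DmessageSlaMs=.*/-DmessageSlaMs=3000/' -e '/^-DretryMs=/d'
    echo '-DclusterFailureDetectionMS=1000'
    echo '"'
} > "$sample"

check_qns_conf "$sample" || echo "deviations found; review them against the list above"
```

A reported MISMATCH is a prompt for review, not necessarily an error, since the notes allow other values when instructed by a Cisco Technical Representative.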
Verify Sessionmgr DB Processes
Also verify that all the sessionmgr DBs are running with the --noprealloc and --smallfiles options enabled.
For example, on any sessionmgr:
# ps -ef | grep mongo | grep 27717
root 5305 1 21 Mar20 ? 18:40:38 /usr/bin/mongod --nojournal --noprealloc --smallfiles --port 27717 --dbpath=/var/data/sessions.1/e --replSet set01e --fork --pidfilepath /var/run/sessionmgr-27717.pid --oplogSize 1024 --logpath /var/log/mongodb-27717.log --logappend --quiet --slowms 500
# ps -ef | grep mongo | grep 27737
root 5377 1 31 Mar20 ? 1-03:28:24 /usr/bin/mongod --nojournal --noprealloc --smallfiles --port 27737 --dbpath=/var/data/sessions.1/e2 --replSet set01e2 --fork --pidfilepath /var/run/sessionmgr-27737.pid --oplogSize 1024 --logpath /var/log/mongodb-27737.log --logappend --quiet --slowms 500
Note: The ulimit parameter should not be set in the sessionmgr DB’s configuration files, as it restricts
the file descriptors open per user.
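The --noprealloc and --smallfiles check scripted over ps -ef output, as an added example that is not part of the Cisco documentation. It assumes the standard eight-column ps -ef layout; the function names are hypothetical, and the third and fourth sample lines are constructed.

```sh
#!/bin/sh
# Added example (not Cisco code): flag sessionmgr mongod processes that were
# started without --noprealloc or --smallfiles.
# Assumption: input is `ps -ef` output (UID PID PPID C STIME TTY TIME CMD...),
# so the command itself is field 8 and its arguments follow.

# check_mongod_opts: reads ps -ef output on stdin, prints "<port> OK" or
# "<port> MISSING <options>" for every mongod, returns 1 if any is missing one.
check_mongod_opts() {
    awk '
    $8 ~ /(^|\/)mongod$/ {           # only real mongod commands, not "grep mongo"
        port = "?"; np = 0; sf = 0
        for (i = 9; i <= NF; i++) {
            if ($i == "--port")            port = $(i + 1)
            else if ($i ~ /^--port=/)      port = substr($i, 8)
            else if ($i == "--noprealloc") np = 1
            else if ($i == "--smallfiles") sf = 1
        }
        miss = ""
        if (!np) miss = miss " --noprealloc"
        if (!sf) miss = miss " --smallfiles"
        if (miss == "") print port " OK"
        else { print port " MISSING" miss; bad = 1 }
    }
    END { exit bad }'
}

# Sample input. Lines 1 and 2 are the processes shown in these notes; line 3
# (port 27720, no --smallfiles) and line 4 (the grep itself) are constructed.
sample_ps() {
    cat <<'EOF'
root 5305 1 21 Mar20 ? 18:40:38 /usr/bin/mongod --nojournal --noprealloc --smallfiles --port 27717 --dbpath=/var/data/sessions.1/e --replSet set01e --fork --pidfilepath /var/run/sessionmgr-27717.pid --oplogSize 1024 --logpath /var/log/mongodb-27717.log --logappend --quiet --slowms 500
root 5377 1 31 Mar20 ? 1-03:28:24 /usr/bin/mongod --nojournal --noprealloc --smallfiles --port 27737 --dbpath=/var/data/sessions.1/e2 --replSet set01e2 --fork --pidfilepath /var/run/sessionmgr-27737.pid --oplogSize 1024 --logpath /var/log/mongodb-27737.log --logappend --quiet --slowms 500
root 6001 1 2 Mar20 ? 00:12:05 /usr/bin/mongod --nojournal --noprealloc --port 27720 --dbpath=/var/data/sessions.4 --replSet set04 --fork
root 7002 6990 0 10:15 pts/0 00:00:00 grep mongo
EOF
}

# On a sessionmgr VM the input would be:  ps -ef | check_mongod_opts
sample_ps | check_mongod_opts || echo "at least one mongod is missing a required option"
```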
Verify Logback.xml
Step 1
After the upgrade is finished, verify that the logback.xml file was updated:
grep SYSLOG /etc/broadhop/controlcenter/logback.xml
If no SYSLOG instructions are found, as shown below, continue with Step 2.
<!--SYSLOGAPPENDER_PLACEHOLDER-->
<!--SYSLOGAPPENDER_REF_PLACEHOLDER-->
Step 2
(Optional) Step 3 below will overwrite the existing copy of logback.xml file. If you have made
customizations to this file, you must make a backup before continuing and manually merge these
changes into the new version after upgrade.
Use the following example command to copy the customized logback.xml file to a backup directory:
cp -af /etc/broadhop/controlcenter/logback.xml /<backup-directory-location>
Step 3
Manually copy the logback.xml file:
cp -af /var/qps/install/current/config/mobile/etc/broadhop/controlcenter/logback.xml /etc/broadhop/controlcenter/
Step 4
Execute the following commands to update the logback.xml file:
/var/qps/install/current/scripts/build/build_all.sh
/var/qps/install/current/scripts/upgrade/reinit.sh
TACACS+ Enabler
The enable_tacacs+ utility can be used to configure the Cluster Manager VM for TACACS+-based
authentication. The utility achieves this by first validating if TACACS+ has been configured properly
using the Configuration sheet of CPS Deployment Template (Excel spreadsheet). Assuming the
required values are provided, the utility will then selectively apply several Puppet manifests to enable
TACACS+ authentication on the target VM.
To use the enable_tacacs+ utility, an operator should perform the following steps.
Step 1
Acquire shell access on the target VM with the ability to execute operations with root privileges.
Step 2
Extract the utility package using the `tar` utility on the target VM:
# cd /var/qps/install/current/scripts/documents
# tar -zxvf tacacs_enabler.tar.gz
tacacs_enabler/enable_tacacs+
tacacs_enabler/README.md
Step 3
(Optional) Copy the utility to the /var/qps/bin/support/ directory:
# cp tacacs_enabler/enable_tacacs+ /var/qps/bin/support/
Note: This step places the utility into a directory which should be in the `PATH` on the target VM. While
not required, this simplifies execution of the script for the later steps.
Step 4
(Optional) Execute the script in check mode to validate the configuration values:
# enable_tacacs+ clustermgr --check
Detected VM node type: clustermgr
Generating facts based on current deployment configuration
Validating TACACS+ configuration settings:
* Found required setting for 'tacacs_secret'
* Found optional setting for 'tacacs_debug'
* Found optional setting for 'tacacs_debug'
* Found optional setting for 'tacacs_timeout'
* Found required setting for 'tacacs_server'
* Found required setting for 'tacacs_enabled'
Configuration appears to be complete. You should be able to enable TACACS+
on this 'clustermgr' node by executing this command without the '--check'
command-line option.
Step 5
Execute the script without the '--check' command-line option to apply the configuration:
# enable_tacacs+ clustermgr
Detected VM node type: clustermgr
Generating facts based on current deployment configuration
Validating TACACS+ configuration settings:
* Found required setting for 'tacacs_secret'
* Found optional setting for 'tacacs_debug'
* Found optional setting for 'tacacs_timeout'
* Found required setting for 'tacacs_server'
* Found required setting for 'tacacs_enabled'
Executing Puppet to apply configuration:
... Puppet output ...
Notice: Finished catalog run in 34.57 seconds
Step 6
Validate that TACACS+ authenticated users are now available on the target VM:
# id -a <TACACS+ user>
Additional Notes
The following section contains some additional notes which are necessary for proper installation of CPS:
• Session Manager Configuration: After a new deployment, session managers are not automatically
configured. build_set.sh needs to be executed to configure all the replication sets. From the
pcrfclient01, execute:
/var/qps/bin/support/mongo/build_set.sh --sessionmgrVM --create**
Edit the /etc/broadhop/mongoConfig.cfg file. Make sure all of your data paths are set to
/var/data and not /data.
• By default, CPS is installed without the password being set for the qns user. The user needs to set it
manually for the system; the change_passwd.sh script can be used to set the password.
• In Cluster Manager, compare the following four files. If they are different, copy the file from the
/var/qps/install/current/config/ directory to the /etc/broadhop/ directory.
/etc/broadhop/diameter_endpoint/jvm.conf    /var/qps/install/current/config/mobile/etc/broadhop/diameter_endpoint/jvm.conf
/etc/broadhop/iomanager01/jvm.conf          /var/qps/install/current/config/mobile/etc/broadhop/iomanager01/jvm.conf
/etc/broadhop/iomanager02/jvm.conf          /var/qps/install/current/config/mobile/etc/broadhop/iomanager02/jvm.conf
/etc/broadhop/pcrf/jvm.conf                 /var/qps/install/current/config/mobile/etc/broadhop/pcrf/jvm.conf
• Default gateway in lb01/lb02: After the installation, the default gateway might not be set to the
management LAN. If this is the case, change the default gateway to the management LAN gateway.
• CSCuq83478: Diameter haproxy configuration is not correct for IPv6 addresses.
Fix: IPv6 tables need to be turned OFF for IPv6 traffic on lb01, lb02. Management and IPv6 Gx
traffic should be on different VLANs in VLAN.csv file at the time of deployment.
• The datastore names in the ESX server must not contain spaces. If the datastore name contains
spaces, you will not be able to deploy VMs.
• CSCur77002: When creating the Cluster Manager, instead of using the default E1000 adapter, select
the VMXNET 3 driver from the Adapter drop-down list on Create Network Connections window.
To improve network throughput for CPS, apply the same change to all other VMs in the cluster.
• CSCus25173: When deploying VMs that have 5 or more virtual NICs, an issue can arise with the
VMware VMXNET driver where the Ethernet interfaces are not assigned to the NICs in the correct
order. This is a known issue with the VMware driver.
This results in VMs which do not have connectivity to any systems in the same subnet as specified
in the /etc/sysconfig/network-scripts/ifcfg-eth* scripts for a particular interface.
To correct this issue, after deploying the VMs, reboot any VMs that are configured with 5 or more
virtual NICs. This is necessary only for new deployments.
Note: For the pcrfclient01/pcrfclient02 VMs, the eth0 MAC address reported in the VMware Virtual
Machine properties will not match what is listed in the VM’s ifconfig -a | grep HW command
output. This mismatch can be ignored.
CSCuu16366 — Initial install requires csv files
Problem: Without csv files, new CPS installation does not complete.
Fix: Install csv files into the proper directory and rerun install.sh.
When you get the following message during new installation:
Would you like to initialize the environment... [y|n]: y ---- Enter y to continue
Enter n to stop and then execute the following commands:
mkdir /var/qps/config
mkdir /var/qps/config/deploy
mkdir /var/qps/config/deploy/csv
Next run ./install.sh again with the same selected install type and then choose y to initialize the
environment.
CSCuu63697 — QPS: Audit config in default mobile SVN needs to be in the PB gui
Problem: During new installation of either an AIO or an HA system using 7.0.5 software package, the
Audit configuration is missing from the Policy builder GUI. This causes errors in the diagnostics and the
qns node logs and doesn't allow the system to function properly.
Fix: Connect to the Policy Builder GUI. Go to the Reference Data tab > Systems > Plugin Configurations
and add Audit Configuration.
CSCus95839 — TACACS - Incorrect bash prompt & file permission
Problem: The bash prompt is not correct when a TACACS user is logged in to the system. This only occurs
for the read-only user. The root cause is that .bashrc_profile is missing from the /home/qns-ro/ directory.
Fix: Manually copy the .bashrc_profile from /home/qns-su/ directory to /home/qns-ro/
directory.
CSCus90088 — Diameter Rating Failed Being Returned Over Gy Interface
Problem: Gy session is not binding to correct Gx session when there are multiple Gx sessions created
from different APNs.
Fix:
Step 1
Add a Gy Client under Reference Data > Diameter Clients > Gy Clients as shown in the example.
Step 2
Add Gy client (for example PGW) Origin Realm in the Realms pane.
Step 3
Check Load By Apn And User Id.
Step 4
Save and Publish the configuration.
CSCut27207 — 'Lookaside Key Prefixes' config for better Gx/Rx system performance
Step 1
To improve Rx lookup and caching performance, the following three parameters should be manually
defined under ‘system-1 > cluster A’ and ‘system-1 > cluster B’ configuration (against Lookaside Key
Prefixes) as shown:
• diameter
• RxTGPPSessionKey
• FramedIpv6
This enables caching of the records and gives higher TPS.
Step 2
Under the Diameter Plugin Configuration, set the Message Sla Ms field to 1500 for better performance
as shown below. This is the Spending-Limit-Answer in milliseconds:
Step 3
Remove the EndPoint Admin DB config from cluster B.
Step 4
Save and Publish the configuration.
In order to identify the correct shard for subscriber lookup/query, PCRF needs to know the secondary
key (which is internally stored in secondary key cache) for mapping and the exact shard that will be
queried for subscriber data. This would prevent the system from scanning/querying all the available
shards in the system to fetch the subscriber record which eventually leads to enhanced system
performance.
CSCut21867 — Error on both the lbs in the output of top_qps.sh
Problem: When TPS is high, qns fails to respond to control center on pcrfclient01 via JMX.
Fix: Handling socket exception by reconnecting JMX client.
Step 1
Edit /etc/broadhop/qns.conf on the Cluster Manager VM.
Step 2
Add the following two parameters:
-Djava.rmi.server.disableHttp=true
-Dsun.rmi.transport.tcp.handshakeTimeout=90000
Step 3
Save the changes.
Step 4
Run the following commands to copy the new configuration file to all nodes and restart CPS.
/var/qps/bin/control/copytoall.sh
/var/qps/bin/control/restartall.sh
CSCut24918 — QPS responding with 2001 in CCA-I for subscriber non-existent in MIND
Problem: While running a 4G call with a subscriber not defined in MIND, it was observed that CPS
responded with DIAMETER_SUCCESS(2001) in CCA-I instead of
DIAMETER_AUTHORIZATION_REJECTED(5003). CPS responded with 2001 because the LDAP
query response was successful but there were no attributes returned by the LDAP query.
CPS also does not support configuration of custom policies to send 5003 error response (or
session-release RAR) because there are no 'policy conditions' available in Policy Builder to check this
scenario.
Fix: Added support to create a new attribute 'NO_LDAP_ATTRIBUTE_FOUND' to the profile when
LDAP response is successful but there are no LDAP attributes returned in the LDAP query.
To configure a policy based solution to reject the call based on account status:
Step 1
Create a policy under ‘Secondary USuM Subscriber Load’ to check whether the LDAP response returned
no attributes and, accordingly, raise a policy-error with the 5003 error code. With this policy, CPS will
respond to CCR-I with the 5003 diameter error code when the subscriber is not present on LDAP (no
attributes returned).
Step 2
Add a condition to check if there is an LDAP attribute with name ‘NO_LDAP_ATTRIBUTE_FOUND’,
as shown:
Step 3
Add another condition to check if there is a diameter message available. With this condition, the policy
will be hit only when there is a diameter message (for example CCR-I/U).
Step 4
Add an action to the policy to raise a policy-error with error-code 5003.
Step 5
Add another action to remove the diameter gx session from policy-state.
Step 6
To trigger RAR for session-reset, create a ‘ResetDiameterSession’ use-case template for GX_TGPP
protocol. This service option should be added for all LDAP related services.
Step 7
On the ResetDiameterSession template add a use-case initiator to trigger this service option only when
there is an LDAP attribute with name ‘NO_LDAP_ATTRIBUTE_FOUND’.
Step 8
Save and Publish the configuration.
CSCut32083 — AKR: AF Application ID
Problem: There is a section in Policy Builder that requires mapping of AF Application ID to
called-station-id. See: Reference Data > Diameter Defaults > Rx Profiles > Rx Profile.
Instead of called-station-id, CPS should use logical APN.
Fix: CPS now supports Logical APN AVP Name.
To configure in Policy Builder:
Step 1
Configure the Logical APN AVP name (e.g., the column name from the logical AVP CRD) in Diameter
Defaults > Gx Profile > Logical APN.
Step 2
Configure the list of logical apn names in the APN column for each AF Application Identifier under
Diameter Defaults > Rx Profile > AF Application Id Validation table.
Step 3
Save and Publish the configuration.
CSCut11484 — Leaking PAS connections (outbound peers)
Root Cause Analysis (RCA)
The peer is deleted from the diameter configuration in Policy Builder, yet the Reconnect Thread still
tries to connect to the deleted peer.
Fix
Remove the peer from the map on Policy Builder publish, so that Reconnect Thread doesn't try to
connect the peer which is deleted from the diameter configuration in Policy Builder.
Limitations and Restrictions
This section covers the following topics:
• Limitations
• Common Vulnerabilities and Exposures (CVE)
• If you have a system with old installer (6.1 or prior), it is mandatory to use the new installer to create
VMs and use the new release trains. The latest 7.0.5 release train does not work with the old
environment (AIO/HA).
• Solicited Application Reporting
Limitations
The following are some restrictions on configuration for the new service options:
– The pre-configured ADC rule generated by CRD lookup has ADC-Rule-Install AVP definition
with support for only three AVPs ADC-Rule-Name, TDF-Application-Identifier,
Mute-Notification.
– For AVPs which are multi-valued, CRD tables are expected to have multiple records - each
giving the same output.
– Comma(,) is not a valid character to be used in values for referenced CRD column in
SdToggleConfiguration.
– AVP Table currently only supports OctetStringAvp value for AVP Data-type.
• During performance testing, it has been found that defining a large number of QoS Group of Rule
Definitions for a single session results in degraded CPU performance. Testing with 50 QoS Group
of Rule Definitions resulted in a 2x increase in CPU consumption. The relationship appears to be
linear in the number of defined QoS Group of Rule Definitions on a service.
• Hour Boundary Enhancement
Change to cell congestion level when look-ahead rule is already installed:
If a cell value changes for the current hour or any of the look-ahead hours, there will be no change
for the rules which are already installed.
No applicability to QoS Rules:
The look-ahead works for PCC rules only, where we have rule activation/deactivation capabilities
and can install upcoming changes in advance. However, if the RAN Congestion use case is changed
to use the QoS-Info AVP instead of using PCC rules, we need to fall back to the current RAR on the
hour boundary implementation for that use case, since the standard does not let us install QoS-info
changes ahead of time like we can with PCC rules.
• Make sure the Cluster Manager's internal (private) network IP address can only be assigned to the
host name “installer” in the /etc/hosts file. If this is not the case, backup/restore (env_import.sh,
env_export.sh) can have access issues to pcrfclient01/pcrfclient02.
• CSCus50571 — Statistics get truncated if Realm length is more than 16 characters
If the qns.conf file is modified to include the auth-application-id for different protocols so that
Realms are appended to the counter names, it was observed that the counter names get truncated
due to a limitation on the current stat metric size.
Each field has a fixed maximum length. Currently, this limit is 63 characters. Due to the above
limitation, if the realms are more than 16 characters, the counter names get truncated.
• The linux VM message.log files repeatedly report errors similar to:
vmsvc [warning] [guestinfo] RecordRoutingInfo: Unable to collect IPv4 routing table.
This is a known issue affecting ESXi 5.x. Currently, there is no workaround. The messages.log file
entries are cosmetic and can be safely ignored. For more information, refer to:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2094561
• Only for GR migration: After restarting the migrated site, you may observe that the QNS processes
are not coming up and the qns log shows the following error:
2015-05-07 23:59:20,335 [pool-23-thread-4] WARN c.b.c.m.dao.impl.ShardInterface.run Unexpected error
com.broadhop.exception.DataStoreIsNotAvailable: Data store is not available: Mongo
DBCollection is null
Fix: Move back primary DB to migrated site from other site and restart the QNS processes.
• Balance EDR generation using the OSGi command line interface is not supported.
• CPS/CPS 7.x onwards support HTTPS on 8443 port for Unified API access. To enable HTTP
support (like pre-7.0) on 8080, refer to the section in CPS/CPS Operations Guide.
CSCur61904 — After VM is deployed, sometimes the memory is not reserved
Root Cause Analysis (RCA)
During the deployment of VMs (deploy_all.py and deploy.sh), make sure that vCenter is not managing
the ESX servers that host the VMs. If vCenter is managing them, the deployed VM will not have memory
reserved.
Workaround
During the deployment of VMs (deploy_all.py and deploy.sh), make sure that vCenter is not managing
the ESX servers that host the VMs.
Result if not followed: For VMs with large memory size, if the memory is more than 100 GB, VM would
not boot.
CSCus71718 — SVN Backup failing to restore on 2B2 PCRF
Symptoms
Using env_import.sh to import a backed up file fails.
Workaround
1. In Cluster Manager, modify the following file:
   /etc/puppet/modules/qps/templates/etc/httpd/conf.d/subversion.conf
2. Locate the following line:
   Allow from ::1 127.0.0.1 <%= @masterSvnHost%>
3. Modify that line as follows:
   Allow from ::1 127.0.0.1 <%= @masterSvnHost%> <%= @clusterManagerHost%>
4. Save your changes.
5. Modify the following file:
   /etc/puppet/modules/qps/manifests/svnserver.pp
6. Add the following line as shown in the example below:
   $clusterManagerHost = "installer",

   $slaveSvnHost = "pcrfclient02", #only needed if you're the master
   $masterSvnHost = "pcrfclient01", #only needed if you're the slave
   $clusterManagerHost = "installer",
   $reposUrlPath = "/repos",
7. Save your changes.
8. Run the following commands:
   /var/qps/install/current/scripts/build/build_puppet.sh
   /var/qps/install/current/scripts//upgrade/reinit.sh
CSCut21809 — Unable to collect IPv4 routing table messages observed in mongoxxx.log
The Linux VM message.log files repeatedly report errors similar to:
vmsvc [warning] [guestinfo] RecordRoutingInfo: Unable to collect IPv4 routing table.
This is a known issue affecting ESXi 5.x. Currently, there is no workaround. The messages.log file
entries are cosmetic and can be safely ignored. For more information, refer to:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2094561
CSCuu06733 — mongod used by collectd causes /var to fill up
Symptoms
1 - mongodb on port 27017 is using /var/log/mongo/mongod.log for logging.
2 - The log file has become so big, the pcrfclient is running out of space and may have stopped running.
3 - The /var/log/mongo/mongod.log file is not rotated.
Conditions
At some point the mongod process running on port 27107 was restarted using the service mongod restart
(or stop/start) command.
Workaround
Use the following commands to remove the /etc/init.d/mongod file and create a new symbolic link. Then
restart mongod.
rm /etc/init.d/mongod
ln -s /etc/init.d/collectd-27017 /etc/init.d/mongod
service mongod restart
You can verify this worked by checking for logging in /var/log/mongodb-27017.log, and NO logging in
/var/log/.mongo/mongod.log.
Common Vulnerabilities and Exposures (CVE)
The following is the list of publicly known Common Vulnerabilities and Exposures (CVE) that apply to
this version of CPS:
Vulnerability: Pacemaker 1.1.10
CVE Number: CVE-2013-028
Summary: Pacemaker contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition on a targeted system. Updates are available.
Technical Details: The vulnerability exists because the network socket used by the affected software fails to close a remote connection after a certain period of inactivity. An unauthenticated, remote attacker could exploit this vulnerability by connecting to the Pacemaker socket. When connected, the socket may wait for an infinite amount of time to receive the authentication credentials, which could allow the attacker to block all other connection attempts, causing a DoS condition for legitimate users.

Vulnerability: subversion-1.6.11
CVE Number: CVE-2011-1752
Summary: Apple has released a security advisory and updated software to address the Apache Subversion Server mod_dav_svn denial of service vulnerability.
Technical Details: The vulnerability exists because the mod_dav_svn module fails to handle exceptional conditions when it processes the WebDAV and DeltaV protocols. An unauthenticated, remote attacker could exploit this vulnerability by transmitting crafted HTTP requests to the affected software. When the requests are processed, the mod_dav_svn module could dereference a NULL pointer, which may cause the affected software to terminate unexpectedly. Exploitation could result in a DoS condition.

CVE Number: CVE-2010-3315
Summary: Apple has released a security update and updated software to address the Apache subversion server SVNPathAuthz security bypass vulnerability.
Technical Details: The vulnerability is due to an implementation error in the affected software's WebDAV module, mod_dav_svn, that is used to grant access to portions of a repository. As a result, when the value for the SVNPathAuthz directive in the mod_dav_svn module is set to short_circuit, the affected software does not honor access rules that contain a repository name prefix in the statement. This flaw could allow a user to bypass the access rules and access restricted repository content. An unauthenticated, remote attacker could exploit this vulnerability by submitting crafted requests to the targeted server. Exploitation could allow the attacker to read or write to certain restricted portions of the repository.

CVE Number: CVE-2013-1968
Summary: Red Hat has released a security advisory and updated packages to address the Apache Subversion FSFS repositories newline characters corruption vulnerability. CentOS has also released updated packages to address the vulnerability.
Technical Details: The vulnerability exists because the affected software fails to validate the user-supplied filename while handling repository commits. An authenticated, remote attacker could exploit the vulnerability by using a filename that contains a newline character (0x0a) and is committed to a repository using the FSFS format. This could cause the file system to become corrupted and may cause unresponsive service for Subversion users.

CVE Number: CVE-2013-1849
Summary: Red Hat has released a security advisory and updated packages to address the Apache Subversion PROPFIND requests against activity URLs denial of service vulnerability. CentOS has also released updated packages to address this vulnerability.
Technical Details: The vulnerability is in the mod_dav_svn/liveprops.c source file due to insufficient validation of user-supplied requests. The affected software may not properly process the PROPFIND requests on activity URLs on a targeted system, which could cause a memory corruption error when a request maps to an invalid URL. An authenticated, remote attacker could exploit the vulnerability by transmitting crafted LOCK requests to the targeted system. Successful exploitation could allow the attacker to cause a DoS condition.

CVE Number: CVE-2013-1847
Summary: Red Hat has released an additional security advisory and updated software to address the Apache Subversion mod_dav_svn LOCK request against nonexistent URLs denial of service vulnerability. CentOS has also released updated packages to address this vulnerability.
Technical Details: The vulnerability is in the mod_dav_svn/lock.c source file of the SVN server module and is due to insufficient validation of user-supplied LOCK requests. The affected software could incorrectly execute a LOCK request against a URL for a nonexistent path or an invalid activity URL for the repository. This could lead to a memory corruption error, triggering the affected software to stop responding to legitimate requests. An authenticated, remote attacker could exploit the vulnerability by transmitting crafted LOCK requests to the targeted system. Successful exploitation could allow the attacker to cause a DoS condition.

CVE Number: CVE-2013-1846
Summary: Red Hat has released an additional security advisory and updated software to address the Apache Subversion mod_dav_svn LOCK on requests denial of service vulnerability. CentOS has also released updated packages to address this vulnerability.
Technical Details: The vulnerability is in the mod_dav_svn/lock.c source file of the SVN server module and is due to insufficient validation of user-supplied LOCK requests. The module incorrectly processes LOCK requests on activity URLs to map commits to the repository, which could allocate invalid memory to activity URLs even though they should be rejected with the LOCK method. This could lead to a memory corruption error that may result in an unresponsive module process. An authenticated, remote attacker could exploit the vulnerability by transmitting crafted LOCK requests to the targeted system. Successful exploitation could allow the attacker to cause a DoS condition.

CVE Number: CVE-2011-1783
Summary: Apple has released a security advisory and updated software to address the Apache Subversion SVNPathAuthz denial of service vulnerability.
Technical Details: The vulnerability exists because the mod_dav_svn module fails to properly process the SVNPathAuthz directive defined in the httpd.conf file when processing HTTP requests. If this directive is set to a value of short_circuit, the module erroneously enters into an infinite loop when querying for path-based authorization and consumes an overly large amount of memory resources. This behavior could be leveraged to prevent access to a Subversion server by using crafted HTTP requests. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted HTTP requests to the targeted system. Processing such requests could consume excessive amounts of system memory, leading to a DoS condition on the server.

CVE Number: CVE-2011-0715
Summary: Apple has released a security update and updated software to address the Apache Subversion Server mod_dav_svn denial of service vulnerability.
Technical Details: The vulnerability is due to improper handling of lock token HTTP requests by the mod_dav_svn module used by the affected software. A lock token is a unique identifier that consists of long strings for each lock that grants exclusive access to one user to change a file. An unauthenticated, remote attacker could exploit this vulnerability by sending an HTTP request that contains a lock token to the affected software. When the request is processed, the mod_dav_svn module may dereference a NULL pointer, causing the affected software to terminate unexpectedly, resulting in a DoS condition.

CVE Number: CVE-2013-2088
Summary: Apache Subversion contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary code on the targeted system. Updates are available.
Technical Details: The vulnerability exists in the contrib/hook-scripts/check-mime-type.pl script used in the affected software. The script fails to escape argv arguments starting with a hyphen to the svnlook utility and could cause an error in the script. Later, a different script, contrib/hook-scripts/svn-keyword-check.pl, is used to parse filenames from the output of the command, svnlook changed, and passes the output to a shell command. An authenticated, remote attacker could exploit this vulnerability by making crafted requests to the vulnerable scripts. If successful, it could allow the attacker to execute arbitrary shell commands on the targeted system.

CVE Number: CVE-2013-2112
Summary: Red Hat has released a security advisory and updated packages to address the Apache Subversion svnserve remote denial of service vulnerability. CentOS has also released updated packages to address the vulnerability.
Technical Details: The vulnerability is in the accept() function call of the main.c source file of the affected software. While handling the TCP connection request, the affected function call performs insufficient checks on aborted connections and will treat them as critical errors, print an error message, and exit. This error could cause the affected process to stop responding to legitimate requests. An unauthenticated, remote attacker could exploit the vulnerability by transmitting crafted TCP requests to the targeted system. When a request is processed, it could cause the affected system to stop responding to legitimate users and cause a DoS condition on the targeted system.

CVE Number: CVE-2011-1921
Summary: Apple has released a security advisory and updated software to address the Apache Subversion Server mod_dav_svn information disclosure vulnerability.
Technical Details: The vulnerability is due to incorrect authorization of path-based file access subrequests by the affected software. The Apache authorization subsystem partially processes a subrequest, indicating whether a request was successful or unsuccessful with a status code. When processing certain crafted URLs, Apache could respond with a status code that could be incorrectly processed by the mod_dav_svn module to allow unauthorized access to protected resources. An unauthenticated, remote attacker could exploit this vulnerability by transmitting certain crafted HTTP requests to the system. If successful, the attacker could gain unauthorized access to sensitive information on the system.

CVE Number: CVE-2010-4644
Summary: CentOS has released updated packages to address the Apache Subversion svn commands remote denial of service vulnerability.
Technical Details: The vulnerability exists because the affected software improperly handles svn commands in specific repository files. The commands could cause a memory leak error when displaying the additional merge history of the repository files. An unauthenticated, remote attacker could exploit the vulnerability by executing the svn blame or svn log commands on the targeted system via the svn clients. An exploit could cause the application to consume available memory resources, which could cause the affected software to become unresponsive, resulting in a DoS condition.

CVE Number: CVE-2013-1845
Summary: Red Hat has released a security advisory and updated packages to address the Apache Subversion mod_dav_svn excessive memory vulnerability. CentOS has also released updated packages to address this vulnerability.
Technical Details: The vulnerability exists within the mod_dav_svn/deadprops.c source file of the SVN server module due to insufficient validation of user-supplied requests. Due to this flaw, the affected module could assign uncontrolled memory resources to module processes, while setting or deleting a large number of properties on a node (file or directory) in the SVN repository. This could lead to exhaustion of memory available to other module processes. An authenticated, remote attacker could exploit the vulnerability by transmitting crafted node modification requests such as PROPPATCH to the targeted system. A successful exploit could allow the attacker to cause the affected server to stop responding to legitimate users.

CVE Number: CVE-2010-4539
Summary: CentOS has released updated packages to address the Apache Subversion Server SVNListParentPath denial of service vulnerability.
Technical Details: The vulnerability exists due to improper handling of user requests for displaying the Subversion repositories on an affected system. An unauthenticated, remote attacker could exploit this vulnerability by making crafted requests to display the Subversion repositories on the affected system. If successful, it could cause the affected system to stop responding to user requests, resulting in a DoS condition.

CVE Number: CVE-2013-4505
Summary: Apache Subversion contains an issue that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.
Technical Details: An issue in the mod_dontdothat component of Apache Subversion could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The issue exists because the mod_dontdothat component of the affected software fails to restrict REPORT requests from serf-based clients. An unauthenticated, remote attacker could exploit this issue to cause a targeted device to consume excessive amounts of system resources, resulting in a DoS condition. Apache has confirmed the vulnerability and released software updates.
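
Two of the Subversion entries above (CVE-2010-3315 and CVE-2011-1783) apply when SVNPathAuthz is set to short_circuit, and the CVE-2010-4539 summary names the SVNListParentPath directive. The shell script below is an added example, not part of CPS or of these release notes; it scans a rendered subversion.conf for those settings and for Allow from hosts outside an expected list, which the CSCus71718 workaround extends. The function names, the sample configuration, and the expected-host list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a rendered mod_dav_svn configuration for the settings
# that the Subversion CVE entries above depend on. Function names, the sample
# configuration and the expected-host list are constructed for illustration.

# Constructed sample of a rendered subversion.conf. /repos and the host names
# appear in the CSCus71718 workaround; the directive values are chosen so that
# the audit has something to report.
sample_conf() {
    cat <<'EOF'
<Location /repos>
    DAV svn
    SVNParentPath /var/www/svn
    # SVNPathAuthz off
    SVNPathAuthz short_circuit
    svnlistparentpath On
    Order deny,allow
    Deny from all
    Allow from ::1 127.0.0.1 pcrfclient01 installer
</Location>
EOF
}

# audit_svn_conf FILE [EXPECTED_HOSTS]
# Prints one FLAG line per finding. Returns 0 when clean, 1 when something was
# flagged, 2 when FILE cannot be read.
audit_svn_conf() {
    conf=$1
    expected=${2:-"::1 127.0.0.1"}
    if [ ! -r "$conf" ]; then
        echo "ERROR: cannot read $conf" >&2
        return 2
    fi
    awk -v expected="$expected" '
        BEGIN {
            n = split(expected, hosts, " ")
            for (i = 1; i <= n; i++) ok[tolower(hosts[i])] = 1
        }
        {
            # Trim whitespace and a trailing CR; Apache comments start the line.
            sub(/^[ \t]+/, "")
            sub(/[ \t\r]+$/, "")
        }
        $0 == "" || /^#/ { next }
        {
            # Directive names are case-insensitive in Apache; values are
            # compared case-insensitively here so a match is not missed.
            directive = tolower($1)
            value = tolower($2)
            gsub(/"/, "", value)
        }
        directive == "svnpathauthz" && value == "short_circuit" {
            printf "FLAG line %d: SVNPathAuthz short_circuit (CVE-2010-3315, CVE-2011-1783)\n", NR
            findings++
        }
        directive == "svnlistparentpath" && value == "on" {
            printf "FLAG line %d: SVNListParentPath on (CVE-2010-4539)\n", NR
            findings++
        }
        directive == "allow" && value == "from" {
            for (i = 3; i <= NF; i++) {
                if (!(tolower($i) in ok)) {
                    printf "FLAG line %d: Allow from %s is not an expected host\n", NR, $i
                    findings++
                }
            }
        }
        END { exit (findings > 0 ? 1 : 0) }
    ' "$conf"
}

# Demo run on the constructed sample.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
audit_svn_conf "$demo_conf" "::1 127.0.0.1 pcrfclient01 installer" || true
rm -f "$demo_conf"
```

The non-zero return code on any finding lets the check gate a configuration push; pass the hosts you expect after applying the workaround as the second argument.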
CDETS
The following sections list Open CDETS and Resolved CDETS for Cisco Policy Suite. For your
convenience in locating CDETS in Cisco’s Bug Toolkit, the caveat titles listed in this section are drawn
directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete
sentences because the title field length is limited. In the caveat titles, some truncation of wording or
punctuation might be necessary to provide the most complete and concise description.
Note
If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
https://tools.cisco.com/bugsearch
To become a registered cisco.com user, go to the following website:
https://tools.cisco.com/RPF/register/register.do?exit_url=
Open CDETS
The following table lists the open CDETS in the CPS 7.0.5 release.
CDETS ID    Headline
CSCuq92782  release train archive is double-compressed
CSCur02781  Separate configuration export.
CSCur55771  QPS - No alarm for primary Sp link down, and coming up
CSCus24935  “Data store is not available” error is observed during plain longevity
CSCus33071  send_diameter stat names: bulkstats uses dot, whisper uses underscore.
CSCus35785  Specific Action charging-correlation-exchange (1) is not working
CSCus50941  qns startup script: /opt/broadhop/qns-1/plug-ins missing files
CSCus60434  QPS responds with 2001 in CCRI response but doesn't create session
CSCut34627  about.sh: Wrong value for 'QPS Installer Version'
CSCut43624  Forwarded QNS component notification LowMemoryClear to corporate_nms_ip
CSCut48523  CCA-I does not come when client's realm is not present in inbound realm
CSCut88042  start-session of type "null" does not fail when balance is depleted
CSCut91522  Problem with CDR - Difference between DPI and PCRF
CSCut98377  QPS/CPS Undocumented Peer Statistics Bulk Stats
CSCut98969  db.licencedfeats entry bouncing in admin db
CSCuu06733  mongod used by collectd causes /var to fill up
CSCuu10127  bulkLoad.sh script throws wrong snmp trap. Also a has cut command error
CSCuu26469  Merge missing BalanceReportingManager to Policy Intel 2.0, 2.2, and 2.3
Resolved/Verified CDETS
The following table lists the resolved/verified CDETS in the CPS 7.0.5 release.
CDETS ID    Headline
CSCuq53049  Policy Builder Rule Base Corruption
CSCuq66027  PB hosted documentation not updated by binary installer
CSCur01720  Extra Gx-RAR when VoLTE session is failed due to QoS validation
CSCur08138  Error returned from LB when diameter message was sent
CSCur19567  Outbound Message Overload handing Causing Performance degradation
CSCur20317  Empty Flow-Information AVP added to Charging-Rule-Definition AVP
CSCur32238  QPS is not aborting Rx session when GW is not responding to the Gx-RAR
CSCur32244  QPS is not including RAT and IPCAN TYPE in Rx-RAR for RAT-CHANGE trigger
CSCur55753  QPS - No alarm for primary Sy down, and coming up
CSCur55765  QPS - No alarm for both primary & secondary Sy down, and coming up
CSCur57660  clear, count and list_mongo_session scripts are not working properly
CSCur63468  CCR-U RAT-Type is not updating in session without Rat-type event
CSCur64496  QPS is sending incorrect flag for couple of diameter AVP
CSCur85551  Policy Intel Feature has issues writing CDRs
CSCur86112  QPS - Corosync not under control of monit
CSCur90077  QPS/OCS redundant database design
CSCur95917  Remove and reinstall QoS-Group/charging rules for monitoring change
CSCus06871  Statistics counters for different session counts (Rx, Sy Prime, Sp, Sd)
CSCus11759  Increase in Session Cache DB CPU usage
CSCus12475  ULI and Rule Activation Time Issue
CSCus15523  No SNMP traps generated when L3 LDAP connections are lost
CSCus16095  TAC: tzdata update for java on QPS instances
CSCus41153  7.0.1 in service migration drops all traffic
CSCus43765  Error opening subscriber with session in control center.
CSCus50967  Error processing policy request: Invalid Specific-Action value 0
CSCus50997  Specific-action ACCESS_NETWORK_INFO_REPORT is not working
CSCus51439  QPS has a dummy config under Diameter-Configuration.
CSCus54375  SRVCC Audio, Video, MSRP -Rx-RAR for ps-to-cs HO Audio without flows AVP
CSCus54423  IPME 4G to 3G HO - Getting resource failure indication in Rx-RAR
CSCus54651  RAR not generated for anonymous subscriber when User is provisioned
CSCus61262  Could not perform Gx session binding5065 on QPS 7.0
CSCus63451  IPME charging rules not included in Gx charging rules counters
CSCus63467  Rx dedicated bearer recreated with different QoS (multiple Rx sessions)
CSCus70040  BearerControlMode template not changing mid session for CCR-u
CSCus70387  Unnecessary Rx-RAR
CSCus70420  Unnecessary Gx-RAR
CSCus70519  Missing counters in the csv
CSCus71604  PCRF not sending ASR to PCSCF on RESOURCE_ALLOCATION_FAILURE
CSCus71723  Rx AAR counters getting truncated
CSCus74258  EDR replication configuration error causing high CPU on LB and QNS
CSCus77526  dsTest gx session-ids don't work with SY prime
CSCus77669  BST and SDS session count removal in DB display
CSCus77935  Lb Endpoint Disconnecting
CSCus79672  Split Counter correction in Rx Dynamic Rule
CSCus81429  QNS Server connection error to LB after Server Reboot
CSCus83060  gx outbound peers not retried after overflow failure
CSCus87933  NDA40_QPS CCA-I has QCI value in Two AVP's for IMS default bearer attach
CSCus90088  Diameter Rating Failed Being Returned Over Gy Interface
CSCus90372  QPS send ASR with wrong “BEARER_RELEASED (0)” while ALLOCATION_FAILURE
CSCus91488  validation failure
CSCus92674  Data Caching Error in Performance Testing
CSCus93741  [NUMD] custom soap/api fails remote addPackageInstance
CSCus93886  QPS is not sending blank acwsporurl avp in RAR
CSCus97551  update the jvm.conf files
CSCut01597  Typo in error msg: does not have active 0MQ endpoint
CSCut04509  null pointer exception in DiameterSyPrimeDeviceMgr
CSCut04806  QPS not sending STA when ANIR is enabled
CSCut04884  Root password change doesn't apply to installer VMs.
CSCut05020  QPS not sending rule removal following RAR with ADC rule remove
CSCut05997  Regression: Wrong QCI received for MPS regression cases
CSCut06521  showPeers OSGI command does not properly format output
CSCut07164  TDF Instance ID ADC rule removal
CSCut07167  Gx rule removal triggered from Sd
CSCut08556  Only 1 Sd Destination Realm in QPS can be provisioned - Sd Related
CSCut10473  Two consecutive “__” for “gx_charging_rule” counter
CSCut11383  QPS should support diameter realm wildcarding - Part 1
CSCut11480  PCRF sending error 5xxx (5002/5003) when QNS cannot connect to SM
CSCut11484  Leaking PAS connections (outbound peers)
CSCut12401  Failover to secondary LDAP Server triggers new connections whenever max
CSCut12895  QPS performance degraded after pri or sec session mgr failure
CSCut14475  QPS Sending multiple ASR messages after IRAT during E911 call.
CSCut19250  Redirect-Support AVP is required to disable redirection on PCEF
CSCut19428  LDAP timeout triggers unbind request on tcp stream
CSCut21867  Error on both the lbs in the output of top_qps.sh
CSCut23790  Error in Policy Builder when adding SCE configuration in 7.0
CSCut23957  Syslog and MongoDB logs high space Usage filling /var Filesystem
CSCut24918  QPS responding with 2001 in CCA-I for subscriber non-existent
CSCut26155  LB not sending CCR-I response Error in process request NPE
CSCut26263  SRVCC Failure-Code is not matching PS_TO_CS_HANDOVER
CSCut29646  Incorrect Gy Bulk Stat
CSCut29774  Bulk Stats Diameter Action Counters Contain Incorrect Values
CSCut29795  Bulk Stats-Charging Rule Name Not Present: Gx ChargeRule Install/Remove
CSCut32071  Enhance Logging Logic and Allow for Configurable Wait Times
CSCut32083  AKR: AF Application ID
CSCut38403  GR Migration : After migration not able to ssh lb01 and qns05 VM's
CSCut38449  GR Migration : After migration backup DB's not restored
CSCut39265  Missing Information In TAL Logs
CSCut39663  QPS is not correctly encoding 3GPP-SGSN-Address AVP in Sd -TSR
CSCut47437  Copyright Year in About Policy Builder
CSCut48145  Retry non-2001 errors codes Gx and Sy
CSCut56501  logstash daemon causing huge CPU load (99%)
CSCut58182  TAL logs use incorrect format for some AVPs & numerical values
CSCut58556  PCRF is sending wrong Service ID 82 for video call in Gx RAR
CSCut58812  Sy prime realm is empty when there is change in PB configuration.
CSCut60365  RMS Issue: Seeing timeouts and 5012s error at while (Gx-Sp-Ss) load test.
CSCut62690  CPS give result code 5012 for Rx message when Sd session available
CSCut66097  QPS is not sending TSR towards MSP for Toggle Subscriber
CSCut67776  QPS sending twoSESSION ID AVP in one Sy-AAR message sent to AC node
CSCut68011  QPS-Charging Rule name for bearers different in 7.0.4 vs. previous ver.
CSCut68077  KPI Stats are struck for the Grafana
CSCut68225  QPS doesn't properly use the peer priority configuration
CSCut68423  Destination Hosts Pattern doesn't work after upgrading to 7.0.4
CSCut68472  Unable to set result code when terminating the session
CSCut70214  diagnostics.sh frequently reports insufficient memory on the VMs
CSCut85404  Auth-Application-Id AVP added to Rx STA
CSCut86311  The “current” directory link is not rollback
CSCut88569  session count script works for commented out set in mongoConfig.cfg
CSCut89327  reinit - pp_status is not working
CSCut93849  Stats XLS: set_session_count_total.records has no description
CSCut98747  OutOfMemory after performance test crashed
CSCut99144  QPS send wrong disconnect-cause in DPR
CSCuu04644  Gx proxy device manager stores AVPs in the session
CSCuu09672  QPS Mongo DB reaching maximum connections
CSCuu15005  qps syslog proxy requires /etc/broadhop
CSCuu15045  deploy.sh - vmware commands sometimes get errors
CSCuu20693  lbs puppet has incorrect dependencies for VIP and SNMP
CSCuu33373  separate ssh shutdown commands for migration script
Related Documentation
This section contains information about the documentation available for Cisco Policy Suite.
Release-Specific Documents
Refer to the following documents for better understanding of the Cisco Policy Suite.
•
Cisco Policy Suite 7.0.5 Alarming and SNMP Guide
•
Cisco Policy Suite 7.0.5 Backup and Restore Guide
•
Cisco Policy Suite 7.0.5 Installation Guide
•
Cisco Policy Suite 7.0.5 Mobile Configuration Guide
•
Cisco Policy Suite 7.0.5 Operations Guide
•
Cisco Policy Suite 7.0.5 Policy Reporting Guide
•
Cisco Policy Suite 7.0.5 Release Notes
•
Cisco Policy Suite 7.0.5 Troubleshooting Guide
•
Cisco Policy Suite 7.0.5 Wi-Fi Configuration Guide
The documents can be downloaded from the following links:
•
Common Guides:
http://www.cisco.com/c/en/us/support/wireless/quantum-policy-suite-bng/products-installation-and-configuration-guides-list.html
•
Mobile Configuration Guide:
http://www.cisco.com/c/en/us/support/wireless/quantum-policy-suite-mobile/products-installation-and-configuration-guides-list.html
•
Wi-Fi Configuration Guide:
http://www.cisco.com/c/en/us/support/wireless/quantum-policy-suite-wi-fi/products-installation-and-configuration-guides-list.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a
service request, and gathering additional information, see What’s New in Cisco Product Documentation
at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco
technical documentation, as an RSS feed and deliver content directly to your desktop using a reader
application. The RSS feeds are a free service.
This document is to be used in conjunction with the documents listed in the Obtaining Documentation and Submitting a Service Request section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The
use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any
examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only.
Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2015 Cisco Systems, Inc. All rights reserved.